[00:05.910 --> 00:11.050]  Welcome, DEF CON travelers. You found Ticketing to Takeoff, an airport
[00:11.050 --> 00:15.010]  hacking choose your own adventure, brought to you by
[00:15.010 --> 00:19.590]  the Aerospace Village at DEF CON. I'm Liz Wharton,
[00:19.590 --> 00:23.170]  Chief of Staff at Scythe, but today I will merely be
[00:23.170 --> 00:27.570]  your narrator, your guide, helping you through the decisions
[00:27.990 --> 00:31.490]  that have already been made because you've made
[00:31.490 --> 00:35.450]  and created and voted on this adventure.
[00:35.450 --> 00:40.090]  When we talk about airports and airport cybersecurity,
[00:40.090 --> 00:43.130]  and particularly when we talk about the aviation
[00:43.130 --> 00:48.230]  industry, cybersecurity in general, what we're forgetting is how far
[00:48.230 --> 00:53.510]  airlines and airports have come. That as we've become more digitized, as
[00:53.510 --> 00:58.370]  everything is connected, as air travel has grown, so has the
[00:58.370 --> 01:02.550]  threat landscape, and so has, well, the attacks,
[01:02.550 --> 01:05.630]  vulnerabilities, and the pieces that make up this
[01:05.630 --> 01:09.370]  adventure. Decisions that you've made from the time
[01:09.370 --> 01:14.530]  you leave your home to transportation to the airport,
[01:14.530 --> 01:20.290]  departures, decisions made during flight, arrival, transit to your destination,
[01:20.290 --> 01:24.290]  all provide, well, additional players and pieces,
[01:24.290 --> 01:29.170]  but additional threats and opportunities for bad actors.
[01:29.170 --> 01:36.750]  As the GAO noted in a recent report, that airlines and their IT infrastructure
[01:36.750 --> 01:40.690]  and their systems also provide opportunities for potential
[01:40.690 --> 01:44.730]  IT outage effects from planning the trip,
[01:44.730 --> 01:50.850]  reservations, frequent flyer systems, to check-in, to boarding, to at the
[01:50.850 --> 01:53.030]  airport, with the airline's mobile app, the
[01:53.030 --> 01:56.470]  airport kiosk, the check-in, the boarding, the baggage,
[01:56.470 --> 02:00.250]  the planes, the flight planning, the dispatch, all of these
[02:00.250 --> 02:03.910]  come together and have potential outage effects
[02:03.910 --> 02:07.910]  on, in some cases, systems that were not built
[02:07.910 --> 02:14.270]  nor designed for the amount of impact that they have. But when we look at
[02:14.270 --> 02:18.230]  the playing field for our adventure today,
[02:18.230 --> 02:23.070]  the attack surface, it's not bounded like you find in most, in fact, it's quite
[02:23.070 --> 02:26.070]  expansive. As you'll be traveling through our
[02:26.070 --> 02:31.170]  fictitious airports, you'll notice that, well, not everything is in the same
[02:31.170 --> 02:36.030]  place. Not every airport is designed differently. So to create and
[02:36.030 --> 02:40.030]  craft policies, procedures, all the different
[02:40.030 --> 02:43.770]  pieces that will go into what I hope you gain
[02:43.770 --> 02:48.210]  from today's conversation and, well, future conversations, is that
[02:48.210 --> 02:52.490]  airports and securing airports, be it the physical,
[02:52.490 --> 02:56.970]  the systems, the software, all of the pieces that come into play airports,
[02:56.970 --> 03:03.270]  is not easy. In fact, we may not even get through or scratch the surface
[03:03.270 --> 03:06.990]  of all the different parts because, well,
[03:07.520 --> 03:12.510]  who knows, between cyber squirrels and different choices that are made,
[03:12.510 --> 03:16.170]  you may not even get past, well, ticketing.
[03:16.170 --> 03:21.070]  Because within the airport attack surface, you also have a lot of players.
[03:21.090 --> 03:27.190]  You have from air traffic control to the many cities that airports truly
[03:27.190 --> 03:31.510]  are, to security, to your gate. It's a minefield.
[03:32.090 --> 03:36.170]  Protected and controlled by airlines themselves.
[03:36.170 --> 03:40.350]  Each of the airlines plays a part in this. The airport authorities,
[03:40.350 --> 03:43.950]  be it the local governments or other authorities,
[03:43.950 --> 03:47.910]  to the different, well, local law enforcement,
[03:47.910 --> 03:54.690]  to the FAA, DHS, security, concessions, vendors, the electricity, all the
[03:54.690 --> 03:59.750]  different telecommunication services that flow into each airport, well, those
[03:59.750 --> 04:03.630]  are a different provider. For example, at the Atlanta Airport,
[04:03.630 --> 04:07.190]  power is provided by Georgia Power under different agreements that have been
[04:07.190 --> 04:11.970]  put into place. So whether those provide opportunities
[04:12.410 --> 04:15.250]  for protection or vulnerabilities
[04:17.250 --> 04:22.370]  is open. Also, you have to look at the third-party providers, the multi-use
[04:22.370 --> 04:27.270]  software and systems. For example, Garmin recently provided a
[04:27.270 --> 04:30.890]  great example of, well, when we think of Garmin, what do we
[04:30.890 --> 04:35.770]  really think of? Do we think of the watch, the directions, you know,
[04:35.770 --> 04:40.430]  our tracking, our steps, etc.? Do we really think of the fact that
[04:40.430 --> 04:44.670]  Garmin provides aviation services, from flight planning
[04:44.670 --> 04:48.330]  to mapping, and that when a ransomware attack
[04:48.330 --> 04:55.430]  hits Garmin, that it's also impacting the avionics, the
[04:55.430 --> 04:58.910]  airport? And a shameless plug for a breakdown
[04:58.910 --> 05:04.150]  of the recent Garmin ransomware attack and attack factors, check out
[05:04.890 --> 05:11.490]  Threat Thursday in the notes. And when we're talking and weaving our
[05:11.490 --> 05:15.790]  narrative story today, we also have to look at what is the
[05:15.790 --> 05:18.450]  intent. That when we have incidents such as
[05:18.450 --> 05:24.250]  glitches, breaches, and, well, Agent Cyber Squirrel hitting airports,
[05:24.250 --> 05:28.830]  the intent and the result matter, but sometimes don't.
[05:29.190 --> 05:35.230]  Is chaos criminal carnage, or really is it just an oopsie that
[05:35.230 --> 05:40.530]  results in chaos, criminal activities, or carnage?
[05:40.910 --> 05:44.590]  And further, what are the incident impacts?
[05:44.590 --> 05:51.650]  That a power outage at Delta's operations center in August of 2016,
[05:51.650 --> 05:55.950]  $150 million and two days worth of cancellations.
[05:55.950 --> 06:01.330]  That a software glitch with one vendor provided worldwide
[06:01.330 --> 06:04.830]  check-in and booking issues. That a data breach
[06:05.430 --> 06:09.190]  results in fines at one airport. That a
[06:09.190 --> 06:18.010]  Southwest computer outage led to $177 million of damages
[06:18.010 --> 06:22.590]  and three days of outages and flight disruptions.
[06:22.590 --> 06:26.830]  All of these potentially could have been worse, and all of them,
[06:26.830 --> 06:31.050]  well, potential threats. So from ticketing to takeoff,
[06:31.050 --> 06:35.150]  it's going to be quite an adventure. Shall we begin?
[06:36.550 --> 06:43.030]  And beware and warning, because this talk is different from other talks,
[06:43.030 --> 06:46.730]  other technical talks, and other talks in the Aerospace Village.
[06:46.730 --> 06:52.830]  For in this talk, you and you alone, assuming you voted in the Twitter polls,
[06:53.350 --> 06:59.790]  are in charge of what happens. The mission was to see if you
[06:59.790 --> 07:03.750]  and your data can make it safely to your flight
[07:03.750 --> 07:08.270]  from ticketing to takeoff. You have to dodge the delays
[07:08.270 --> 07:14.870]  and the data breaches. And so, shall we begin? It's time to pack
[07:14.870 --> 07:20.390]  your things and head to the airport. And our first decision point...
[07:20.390 --> 07:23.770]  do you decide to pack it all? Check a bag? I mean,
[07:23.770 --> 07:27.330]  you're going to Vegas for a week for DEF CON
[07:27.990 --> 07:33.710]  and all of the other villages. Or do you bring a carry-on? Put everything
[07:33.710 --> 07:37.110]  in a bucket and see what happens. Well,
[07:37.870 --> 07:43.830]  you chose a carry-on. Wise move, because airline baggage
[07:43.830 --> 07:50.050]  check-in and tracking has the potential for delays, not to mention
[07:50.050 --> 07:54.430]  data breaches. So now that you've got your backpack on
[07:54.430 --> 07:58.210]  and you're about to head out, it's a digital and app world.
[07:58.210 --> 08:01.550]  Who even has a printer at home these days? So when it comes to your
[08:01.550 --> 08:04.770]  boarding pass and your ticket, do you print it at home?
[08:04.890 --> 08:08.050]  Do you use the airline's app boarding pass?
[08:08.150 --> 08:13.090]  Or, like me, I do a combination. I also take a screenshot of my boarding
[08:13.090 --> 08:16.710]  pass should something go wrong. Well, almost
[08:16.710 --> 08:20.410]  evenly split, but did you choose wisely?
[08:20.410 --> 08:26.890]  You chose to print your boarding pass at home. Well, well done,
[08:26.890 --> 08:31.010]  because ticketing frequently leads to, well,
[08:31.010 --> 08:37.830]  delays and data breaches. So now that you have your bags packed,
[08:37.830 --> 08:41.910]  your tickets in hand, and you're heading into the airport,
[08:41.910 --> 08:46.650]  you know that sometimes there are long lines at ticketing and check-in.
[08:46.650 --> 08:50.290]  And what if you want to switch your seat before you actually board the flight
[08:50.290 --> 08:54.450]  depending on what you see around you? So,
[08:54.450 --> 08:58.110]  DEF CON safe mode, secure aerospace travelers,
[08:58.110 --> 09:03.970]  what do you decide to do? Overwhelming majority, you chose to check
[09:03.970 --> 09:07.910]  in online with the 24-hour advance window,
[09:07.910 --> 09:14.370]  avoiding the kiosks, and, well, the airline app, because you know
[09:14.370 --> 09:19.030]  the check-ins are, well, the threat there are delays.
[09:19.070 --> 09:23.070]  So much so that when a third-party provider
[09:23.670 --> 09:29.930]  covers, well, most of the airlines, you see a 30-minute outage of their
[09:29.930 --> 09:34.350]  software can lead to three airlines going down.
[09:35.110 --> 09:39.630]  A couple days later, a different airport service provider
[09:39.630 --> 09:48.910]  covered five airlines in 40 minutes. Saver was at it again on April 29th,
[09:48.910 --> 09:52.930]  just less than a month later, 90 minutes,
[09:52.930 --> 09:56.950]  three airlines. So you've checked in online,
[09:56.950 --> 10:00.270]  you've shown up at the airport, and you're a seasoned road
[10:00.270 --> 10:04.150]  warrior, even if it seems like forever since,
[10:04.150 --> 10:08.310]  well, our last flight. Cutting it close to departure time,
[10:08.310 --> 10:12.130]  and it's a big airport. Flying on a weekday morning,
[10:12.130 --> 10:19.130]  bold move. Are you feeling lucky? So for decision for the fourth decision
[10:19.130 --> 10:22.570]  point, DEF CON safe mode, secure aerospace
[10:22.570 --> 10:27.810]  travelers, what did you decide to do? TSA pre-check,
[10:27.810 --> 10:34.410]  clear, or regular TSA security lines? Most of us
[10:34.410 --> 10:38.570]  seemed, most of you seem to be, well, hesitant with the facial recognition
[10:38.570 --> 10:42.590]  that comes with clear, but you're okay with providing some data
[10:42.590 --> 10:48.610]  and information because you're TSA pre-check. Well, what seems like a
[10:48.610 --> 10:51.630]  safe move could lead to delays
[10:52.110 --> 10:58.110]  and a data breach. Well, here's what happens. Is it
[10:58.110 --> 11:01.270]  security theater where you have moving parts
[11:01.270 --> 11:06.750]  and multiple players? Because when you have nationwide U.S. Customs computer
[11:06.750 --> 11:11.490]  outages causing gigantic lines at airports,
[11:11.490 --> 11:18.650]  you had JFK, LAX, SFO, Philadelphia, O'Hare, Midway, SeaTac,
[11:18.650 --> 11:22.390]  and other airports all confirming delays,
[11:22.390 --> 11:28.330]  our airport is probably hit by those. So not only do you have a delay with
[11:28.330 --> 11:32.470]  pre-check, but one of the recent trends has been
[11:32.470 --> 11:38.470]  for one provider to provide some of the software and
[11:38.470 --> 11:44.090]  systems support for TSA. In this case, facial recognition
[11:44.810 --> 11:48.370]  software provider and systems provider MEC
[11:49.050 --> 11:53.450]  well, pretty much covers European airports
[11:53.450 --> 11:59.870]  and most airports across the U.S. And while they take a long time to
[11:59.870 --> 12:02.910]  admit it, they've had a breach. The facial
[12:02.910 --> 12:08.950]  recognition data collected by U.S. airlines and U.S. citizens
[12:08.950 --> 12:14.910]  is stored for 12 hours, for between 12 hours and
[12:14.910 --> 12:20.250]  two weeks, and 75 years for non-U.S. citizens.
[12:20.250 --> 12:22.850]  And that data is stored in several government databases
[12:23.590 --> 12:27.890]  which border officials can pull up when you're arriving or leaving the U.S.,
[12:27.890 --> 12:33.450]  including at airports. And well, MEC is not very good
[12:33.990 --> 12:38.070]  at confirming their security breaches or giving a lot of detail.
[12:38.070 --> 12:41.610]  So in this case, you didn't avoid the delays
[12:42.190 --> 12:47.390]  and you didn't avoid the data breach, but you made it through security.
[12:47.630 --> 12:51.770]  Because when you have these data breaches, well,
[12:51.770 --> 12:58.810]  quite frankly, what are you going to do? Well, worrying about that check-in and
[12:58.810 --> 13:02.050]  those security lines can be a headache. And of course, you
[13:02.050 --> 13:06.610]  forgot to pack your headphones. It's a long flight ahead of us to Vegas.
[13:06.610 --> 13:10.570]  So, DEF CON safe mode, secure aerospace travelers,
[13:10.570 --> 13:14.070]  do you? Well, stop what you're doing because
[13:14.070 --> 13:19.110]  you've got to have your headphones, noise-canceling headphones,
[13:19.110 --> 13:22.830]  and knowing your luck so far, there's probably going to be
[13:23.130 --> 13:29.990]  a screaming child or disruptive, I don't know, people. So,
[13:29.990 --> 13:34.490]  do you stop and buy them now? Or maybe we'll wait a little bit.
[13:34.490 --> 13:38.150]  If there's a place to buy some closer to the gate,
[13:38.150 --> 13:41.070]  sure, we'll go with that. Or quite frankly,
[13:41.690 --> 13:44.890]  you're feeling lucky. You're going to go for a roll the dice.
[13:44.890 --> 13:50.970]  And well, who cares? Well, a slight, slight, slight majority
[13:50.970 --> 13:55.530]  went with, who cares? You'll figure something out and you'll find a way to
[13:55.530 --> 13:59.310]  entertain yourself without your headphones. Which, when it
[13:59.310 --> 14:02.890]  comes to airport vendors and the threats of data breaches,
[14:03.450 --> 14:09.050]  probably wasn't a bad idea. So, now you've made it to decision
[14:09.050 --> 14:13.970]  point number six. Your departure gate is farther from the main terminal
[14:13.970 --> 14:17.630]  than you originally thought. It's time to move
[14:17.630 --> 14:20.690]  and get in those steps. But quite frankly,
[14:20.690 --> 14:24.770]  who wants to carry our bags that far? I mean, keeping in mind,
[14:24.770 --> 14:31.490]  we've got a carry-on and a backpack. And while, while we've got our traveling
[14:31.490 --> 14:35.290]  shoes on, we haven't been exercising quite as much
[14:35.290 --> 14:40.150]  during COVID. So, DEF CON safe mode, secure aerospace
[14:40.150 --> 14:43.390]  travelers, what do you want to do? Do you want to
[14:43.390 --> 14:46.470]  take the people mover? Take the airport train?
[14:46.470 --> 14:53.770]  Or, one, two step, let's walk there. And you chose to walk there.
[14:53.770 --> 14:58.670]  Which, while we're going to get in the steps and we're going to walk this way,
[14:59.070 --> 15:05.190]  we had a double whammy. Both delays as well as the dreaded
[15:05.190 --> 15:09.890]  agent cyber squirrel. Well, in this case, just an agent squirrel.
[15:09.930 --> 15:17.390]  Because LAX, on Thanksgiving Day 2015, had cyber squirrel reports,
[15:17.550 --> 15:22.970]  a squirrel plus a transformer. Which, in this case, while the power outages
[15:22.970 --> 15:26.530]  weren't severe in the surrounding area, at the airport
[15:26.530 --> 15:30.610]  you had the moving walkways, the elevators,
[15:30.610 --> 15:36.210]  the escalators, the screening equipment, the baggage screening equipment that
[15:36.210 --> 15:38.890]  just stopped. So, while none of the outages
[15:38.890 --> 15:44.310]  completely shut down the airport, well, for those of us trying to get our
[15:44.310 --> 15:48.350]  bags from security checkpoint to terminal,
[15:48.350 --> 15:51.710]  it's going to be a little bit of a long hike. All those
[15:51.710 --> 15:55.130]  speedy ways to get there are no longer at our advantage.
[15:55.130 --> 15:58.810]  Thanks to Captain Chaos, cyber squirrel.
[16:00.110 --> 16:04.150]  But, we finally made it to the gate area.
[16:04.150 --> 16:11.190]  And, well, decision point number seven. In this case, you know,
[16:11.190 --> 16:15.630]  beer pairs well with breakfast, right? We have had to deal with
[16:15.630 --> 16:22.270]  all kinds of different challenges and, well, there are no seats at the bar.
[16:22.830 --> 16:26.210]  The restaurant doesn't look too crowded and,
[16:26.210 --> 16:31.050]  well, a table it is, if that's what we want to do.
[16:31.430 --> 16:35.390]  So, DEF CON safe mode, secure aerospace travelers.
[16:35.610 --> 16:43.130]  What do we want to do? Do we, okay, take time, stop for one-on-one only
[16:43.130 --> 16:48.450]  because, well, again, beer pairs well with breakfast?
[16:49.010 --> 16:53.610]  Or, do we decide to wait a little bit because, quite frankly,
[16:53.610 --> 16:58.810]  we're in first class. Oh, did I mention we only travel first class?
[16:58.810 --> 17:02.810]  And first class has beer, even in the morning.
[17:02.810 --> 17:10.930]  And it looks like the majority of us, well, chose beer first class,
[17:10.930 --> 17:13.850]  not going to stop, which is not a bad thing
[17:13.850 --> 17:19.530]  because one of the other hidden hazards are the point-of-sale systems
[17:20.130 --> 17:23.270]  and the threats in restaurants of data breaches.
[17:23.270 --> 17:27.670]  Not only that, there's also a potential for delays.
[17:27.850 --> 17:32.250]  You don't know what systems the airport or restaurants at airports are running
[17:32.250 --> 17:35.850]  off of. Are they bringing in their own Wi-Fi
[17:35.850 --> 17:41.390]  network or are they piggybacking off of an airport facilities or nearby
[17:41.390 --> 17:47.110]  vendors or hers? Are they piggybacking off of,
[17:47.110 --> 17:52.890]  well, free airport Wi-Fi? That's not secure.
[17:53.470 --> 17:59.670]  But there's no rest for the wicked. And as we reach decision point eight,
[17:59.670 --> 18:03.770]  well, not only is there no rest for the wicked, there's no rest for travelers
[18:03.770 --> 18:09.290]  with laptops and deadlines because we don't get to fly first class
[18:09.290 --> 18:15.170]  and we're not heading to DEF CON unless we're big shots and we need to
[18:15.170 --> 18:20.890]  review a draft file and respond ASAP. So we pulled our laptop
[18:20.890 --> 18:26.430]  and DEF CON safe mode, secure aerospace travelers. What do we do
[18:26.430 --> 18:29.670]  next? Do we tether to our cell phone to
[18:29.670 --> 18:34.090]  connect for Wi-Fi? Do we use the airport's free Wi-Fi?
[18:34.630 --> 18:40.710]  Or do we carry a cell tower in our backpack? Because, you know,
[18:40.710 --> 18:46.370]  Wi-Fi pineapple and Wi-Fi cactus, they could have made it through airport
[18:46.370 --> 18:50.530]  security. So let's see. And while
[18:51.130 --> 18:57.550]  while we do miss the sights of pineapple Wi-Fi
[18:58.010 --> 19:03.990]  and cell towers in our backpack, the good thing is is our data coverage
[19:03.990 --> 19:07.950]  on our cell phone will allow us to tether to it.
[19:07.970 --> 19:13.490]  Which, tether not to free Wi-Fi because the threats there are data
[19:13.490 --> 19:14.470]  breaches.
[19:16.290 --> 19:19.970]  So as we've sat, we've reviewed our documents,
[19:19.970 --> 19:23.550]  and we're looking around, we've reached decision point number nine
[19:24.090 --> 19:27.690]  because storm clouds are gathering on the horizon.
[19:27.870 --> 19:32.390]  And we think, hmm, there may be potential flight delays.
[19:32.430 --> 19:39.370]  Locusts, storms, it's not winter, but still stranger things have happened.
[19:39.410 --> 19:42.790]  And what happens if we miss our connection?
[19:43.050 --> 19:47.130]  Luckily, the airline we're flying on has an app.
[19:47.130 --> 19:51.470]  We can see over in the distance that there's a counter.
[19:51.470 --> 19:54.030]  There's a little bit of a line at the counter, but
[19:54.670 --> 19:58.530]  not enough to deter us. So what are we going to do?
[19:58.570 --> 20:01.770]  One, are we going to face down the storm because
[20:03.710 --> 20:09.870]  as DEF CON safe mode airspace travelers, let's admit it, we are the storm.
[20:10.250 --> 20:13.910]  Do we use the airline's app and switch to a later flight?
[20:13.910 --> 20:16.670]  Or do we go up to the counter and talk to the person
[20:17.070 --> 20:21.490]  from the airline and attempt to rebook? In a slight,
[20:21.490 --> 20:25.110]  slight majority, we decide to go to the counter
[20:25.110 --> 20:31.770]  and rebook, which turns out to be probably a pretty good idea because
[20:31.770 --> 20:36.690]  airline ticketing systems and those apps both have delays because
[20:36.690 --> 20:40.610]  if the app is out or
[20:40.610 --> 20:45.350]  hasn't been developed, you have problems with data breaches.
[20:45.350 --> 20:49.110]  For example, EasyJet had 9 million travel records
[20:49.110 --> 20:56.030]  taken in a data breach. And the British Airways was fined a record
[20:56.030 --> 21:00.470]  230 million dollars after a data breach exposed the booking
[21:00.470 --> 21:04.310]  details of over half a million customers.
[21:04.390 --> 21:08.330]  Hackers had siphoned off thousands of credit card numbers after installing
[21:08.330 --> 21:12.650]  skimming malware on its website. So it's a good thing
[21:12.650 --> 21:15.690]  we didn't go to the website or use the app
[21:15.690 --> 21:20.870]  because that would have been bad. Instead, we just talked to a live person
[21:20.870 --> 21:27.470]  which is daunting enough, but at least we're still on track for our
[21:27.470 --> 21:30.550]  flight. Yet,
[21:32.590 --> 21:38.150]  because check-in counters do have software glitches as well.
[21:38.150 --> 21:44.050]  And well, unfortunately, as highlighted the Greater Toronto
[21:44.050 --> 21:48.430]  Airports Authority, they had an outage with their airline
[21:48.950 --> 21:52.190]  check-in system that impacted processes at both
[21:52.190 --> 21:58.370]  Terminal 1, 3, and had IBM technicians working with the technology
[21:58.370 --> 22:01.790]  authority to solve the problem. So the fears aren't
[22:01.790 --> 22:05.550]  always just the airlines. You also have to look
[22:05.550 --> 22:09.150]  at, well, what happens with the airline authorities?
[22:09.450 --> 22:14.810]  And are they providing assistance? Can they have those
[22:14.810 --> 22:17.230]  handles? And what happens when their systems go down?
[22:17.510 --> 22:21.130]  In Toronto's case, if you had checked in online
[22:21.130 --> 22:25.590]  ahead of time, which we did, you would have been fine.
[22:25.590 --> 22:29.250]  But then what happens when you're trying to rebook? And if you're
[22:29.790 --> 22:34.190]  having checked baggage and having to move through the airport, it caused
[22:34.190 --> 22:38.610]  additional delays. So unfortunately in our journey, we've
[22:38.610 --> 22:41.830]  had the potential, we've avoided most of this
[22:41.830 --> 22:45.210]  data breach issues, but we've been delayed.
[22:45.210 --> 22:49.350]  Not enough to miss our flight, but we've been delayed slightly.
[22:49.350 --> 22:53.050]  Which leads us to, we finally get to our gate.
[22:53.050 --> 22:59.950]  We show up and it's decision number 10. Surprise!
[23:01.010 --> 23:07.230]  It's a gate change and it's a crowded and noisy terminal.
[23:07.410 --> 23:14.090]  And let's be honest, who can ever truly hear what the airline
[23:14.930 --> 23:18.930]  attendants are saying and when they're announcing where you're supposed to go?
[23:18.930 --> 23:25.790]  Because we didn't catch it. The PA system was terrible. Now,
[23:25.790 --> 23:28.990]  where did they move our flight? What gate? Is it
[23:28.990 --> 23:35.470]  even on the same terminal anymore? We need to find out. So DEF CON,
[23:35.470 --> 23:41.290]  safe mode, secure airspace travelers, what do we do? Do we check the nearby
[23:41.290 --> 23:46.130]  display screens? Do we go to the airline app, cross our
[23:46.130 --> 23:51.630]  fingers and hope that it's updated? Or do we ask a stranger nearby? We've
[23:51.630 --> 23:56.410]  already spoken to one person. We spoke at the counter. That's a lot of
[23:56.410 --> 24:00.510]  peopling for one day. So an overwhelming majority
[24:01.130 --> 24:05.650]  didn't trust the app. Instead, we chose to check the display
[24:05.650 --> 24:09.890]  screens. Well, gate display screens
[24:10.430 --> 24:18.130]  are one of the big areas for delays. What do we mean? You knew it was going to
[24:18.130 --> 24:23.490]  pop its head somewhere in the story. Well, ransomware. It's not just about
[24:23.490 --> 24:28.110]  taking down data. It takes down the systems as well. And
[24:28.110 --> 24:32.390]  in this case, the, well, Bristol airport
[24:32.390 --> 24:36.450]  got to find out exactly what that means when,
[24:36.450 --> 24:44.030]  in 2018, ransomware took out their signage with their gate information.
[24:44.630 --> 24:48.410]  Staff were left with having to hold up whiteboards
[24:48.410 --> 24:52.570]  directing people for where their flights are going. So in real time
[24:52.570 --> 24:56.150]  are having to take that information, write it out,
[24:56.150 --> 24:59.450]  and what happens when they start running out of whiteboard space? Well, they found
[24:59.450 --> 25:02.950]  out. It caused delays. So again, not a data
[25:02.950 --> 25:06.430]  breach because our data information isn't on
[25:06.430 --> 25:11.170]  those screens. But instead, it did cause a delay.
[25:11.430 --> 25:15.370]  We're cutting it awfully close to departure time, aren't we?
[25:16.010 --> 25:21.150]  Well, it's about time for boarding.
[25:21.290 --> 25:24.270]  And we're, we think we found where the right gate is.
[25:24.270 --> 25:30.770]  But at decision 11, hmm, what happens
[25:31.760 --> 25:35.070]  when the direction that we go? I mean, we can either
[25:35.070 --> 25:38.850]  go right or left. And we're savvy travelers.
[25:38.850 --> 25:44.930]  And while our frustrations are mounting, we're not going to panic. No,
[25:44.930 --> 25:49.410]  instead, DEF CON safe mode. Secure aerospace travelers.
[25:49.610 --> 25:55.990]  What do we decide to do? We can risk it. Go left. If it's wrong, we'll go right.
[25:56.530 --> 26:02.250]  Well, turns out the airport has its own app that, of course, while we're
[26:02.250 --> 26:06.770]  bored, we downloaded it. And, hmm, we can talk
[26:06.770 --> 26:10.430]  about whether to download stuff to our cell phone without properly
[26:10.430 --> 26:14.310]  vetting. But it also has a navigation feature.
[26:14.310 --> 26:18.490]  We want to choose that. Then again, we think about
[26:18.490 --> 26:22.010]  the issues with Garmin and all the other,
[26:22.010 --> 26:28.330]  well, where's our app data being sent? Where's our location data being sent?
[26:28.870 --> 26:32.170]  So, maybe we're not going to go there. And
[26:32.170 --> 26:36.950]  while we know some of the signage in the airport is out,
[26:36.950 --> 26:41.790]  surely not all of the signage is out. I mean, we can check the digital directory
[26:41.790 --> 26:45.810]  signs because, you know, they're running on a
[26:45.810 --> 26:52.270]  different system, aren't they? Spoiler alert. Most of the time, no.
[26:52.270 --> 26:55.610]  And the other thing is there's hidden dangers
[26:55.610 --> 26:59.550]  with the directory signs as well because,
[26:59.550 --> 27:03.530]  let's think of, think back to, oh, I don't know,
[27:03.530 --> 27:06.950]  some of the botnets, like the Mirai botnet
[27:06.950 --> 27:13.970]  that liked to target IoT devices. Those LG screens you see all around the
[27:13.970 --> 27:18.290]  airport, what are those? But, waiting, danger,
[27:18.290 --> 27:22.630]  waiting to happen. In this case, we're going to risk it.
[27:22.630 --> 27:26.770]  We're not going to panic. We're going to check those digital directory signs
[27:26.770 --> 27:30.810]  because surely, surely, they're not all out again.
[27:30.810 --> 27:35.330]  Well, get ready for delays again because
[27:36.490 --> 27:41.090]  ransomware has hit multiple airports again,
[27:41.090 --> 27:44.970]  impacting the digital signage around the airport,
[27:44.970 --> 27:49.510]  displaying, again, only back black screens.
[27:49.510 --> 27:52.950]  Cleveland Hopkins International had this happen
[27:52.950 --> 27:57.970]  in April 2019, you know, back when people flew still,
[27:57.970 --> 28:02.250]  and took out their computing systems as well.
[28:02.250 --> 28:05.830]  So, like that, you had to worry about whether their email,
[28:05.830 --> 28:09.870]  their internal app, their internal direction, if they're able to get some
[28:09.870 --> 28:14.950]  of the information out of it. So, once again, wasn't our data that we
[28:14.950 --> 28:19.510]  were worried about as much here, but our ability to catch our flight.
[28:19.510 --> 28:24.110]  We're getting really delayed here, which leads us to,
[28:24.110 --> 28:28.330]  okay, we finally found the right direction.
[28:28.330 --> 28:32.390]  We're heading there. We're almost there. We skipped that beer
[28:32.390 --> 28:36.830]  because there was going to be some of that on first class.
[28:37.090 --> 28:40.730]  So, we're walking by the newsstand and we spot the bestseller
[28:40.730 --> 28:46.010]  Burn-In book, and we've been meaning to read it. I mean,
[28:46.010 --> 28:49.130]  August Cole and Peter Singer did a great job,
[28:49.130 --> 28:55.390]  we heard, in bringing and predicting all of these IoT
[28:55.390 --> 28:59.730]  connected smart city, and one of my favorite,
[28:59.730 --> 29:05.090]  drone issues. And, well, we heard that lawyers get the
[29:05.090 --> 29:08.530]  short end of the stick, and this, and who doesn't like to see
[29:08.530 --> 29:13.750]  bad things happen to lawyers? So, DEF CON safe mode, secure airspace
[29:13.750 --> 29:16.830]  travelers, what are we going to do? Are we going to
[29:16.830 --> 29:21.770]  stop, get a book, and, oh wait, look, there's a sign at
[29:21.770 --> 29:26.470]  checkout that says, if you pay via this payment app,
[29:26.470 --> 29:29.850]  you'll get a free coffee. So, we didn't have a beer.
[29:29.850 --> 29:32.930]  Who doesn't want a free coffee? So, do we decide to
[29:32.930 --> 29:37.890]  go for the coffee, or buy the book, skip the coffee? We don't need another
[29:37.890 --> 29:41.610]  frequent shopper card. We don't need another stamp.
[29:41.690 --> 29:44.910]  Then again, it's on our business credit card, so
[29:45.450 --> 29:48.810]  who cares? I would never do that. I would never pick that one.
[29:48.810 --> 29:55.110]  But, for the purposes of our narration, who cares? It's the company's card.
[29:55.110 --> 30:01.950]  The data gets stolen, not our problem. Well, luckily, you chose to buy the book
[30:01.950 --> 30:06.430]  and skip the coffee. Solid choice, an excellent read,
[30:06.430 --> 30:10.890]  especially considering, well, you didn't pick up the headphones.
[30:10.890 --> 30:14.450]  Because again, the payment systems in the shops
[30:14.450 --> 30:18.550]  are notorious for data breaches, as well as, well,
[30:18.550 --> 30:22.630]  best practices. And with those third-party payment
[30:22.630 --> 30:25.610]  apps and different things, even within the
[30:26.390 --> 30:30.790]  airports, you've had currency exchanges go down to different attacks.
[30:30.790 --> 30:36.870]  So, okay, we finally made it to the gate.
[30:36.930 --> 30:41.050]  And well, we've made it to decision, lucky 13.
[30:41.050 --> 30:44.390]  We've grabbed a seat in the boarding area, and we noticed that our cell phone
[30:44.390 --> 30:48.370]  battery is really low. I mean, we tethered it so
[30:48.370 --> 30:51.990]  that we could send and review those documents and
[30:51.990 --> 30:56.830]  those files. And well, how are we going to tweet and
[30:56.830 --> 31:01.670]  text from the flight? So, savvy DEF CON safe mode
[31:01.670 --> 31:05.290]  aerospace travelers, what are we going to do?
[31:05.910 --> 31:09.350]  Use the extra charger you're carrying in your backpack, because while you're not
[31:09.350 --> 31:13.810]  carrying a cell phone tower, well, you do know to pack an extra
[31:13.810 --> 31:19.550]  charger. Do we wait? Risk it? Because we are
[31:19.550 --> 31:23.230]  first class, and as we know from flying first
[31:23.230 --> 31:27.710]  class frequently, there's chargers,
[31:27.710 --> 31:32.090]  or there's outlets, and there's our free beer.
[31:32.290 --> 31:39.150]  Or do we go and find an outfit, or excuse me, an outlet, because
[31:39.150 --> 31:42.870]  quite frankly, you never know. And again,
[31:42.870 --> 31:46.370]  tweeting, how else are we going to show people that we're sitting in first class
[31:46.370 --> 31:49.670]  if we can't tweet a picture of us sitting
[31:49.670 --> 31:54.530]  in first class holding our free beer? Well,
[31:55.370 --> 32:01.770]  charging devices. Well, in this case, we're going to fall victim to Agent
[32:01.770 --> 32:07.670]  Cyber Squirrel, because Agent Cyber Squirrel, Captain Chaos,
[32:07.670 --> 32:11.190]  likes to cause brief power outages. And again,
[32:11.190 --> 32:15.430]  in this case, it was by Buffalo Niagara Falls
[32:15.430 --> 32:21.790]  or Niagara International Airport, caused a brief power outage. It affected
[32:21.790 --> 32:25.250]  gates, well, a select number of gates. It only
[32:25.250 --> 32:28.310]  caused one flight to be delayed for a few minutes.
[32:28.390 --> 32:35.610]  But in this case, luckily, we had our charger with us.
[32:35.610 --> 32:40.030]  So while Agent Squirrel caused a power outage at our gate,
[32:40.030 --> 32:44.530]  again, he didn't cause us to have any issues because
[32:44.530 --> 32:50.850]  our backup charger was fully charged. Well,
[32:51.390 --> 32:58.090]  decision time. It's finally, the gate agent is calling our flight.
[32:58.090 --> 33:04.310]  And don't forget, we're first class, because that's how we roll.
[33:04.310 --> 33:08.150]  And with first class, we're the first ones to board.
[33:08.710 --> 33:14.310]  But we notice, oh lovely, the airline is testing facial
[33:14.310 --> 33:18.510]  recognition for the boarding process. And you notice
[33:18.510 --> 33:24.370]  the line is piling up. So what are we going to do?
[33:24.370 --> 33:31.370]  We've made it this far. We have really got it close. And quite frankly,
[33:31.370 --> 33:36.450]  we're tired. So weary DEF CON safe mode, secure
[33:36.450 --> 33:42.050]  aerospace travelers. What do you decide to do? Do you
[33:42.050 --> 33:46.090]  opt out? Because you've heard all those stories about facial recognition
[33:46.730 --> 33:49.890]  and you know that a lot of those algorithms are wrong.
[33:49.890 --> 33:54.610]  And that's not to get into, well quite frankly, it's just an affront.
[33:54.610 --> 33:58.450]  You're not looking picture perfect right now.
[33:58.830 --> 34:02.370]  Eh, might as well. If it's going to keep the
[34:02.370 --> 34:05.990]  boarding process moving, and if it's going to be convenient,
[34:06.490 --> 34:13.630]  sure. But we did get that new AI facial recognition
[34:13.630 --> 34:18.510]  defeating tattoo and makeup.
[34:18.510 --> 34:22.110]  And while it was funny going through security,
[34:22.110 --> 34:30.150]  we're so close to boarding our flight. In this case, you decided
[34:30.150 --> 34:37.950]  to stand up on principle and no, we're going to opt out and use the
[34:37.950 --> 34:43.810]  paper boarding pass. Well, not only does facial recognition
[34:44.630 --> 34:47.250]  at the gates and also throughout the airports
[34:48.030 --> 34:54.530]  with ticketing cause data breaches. And what happens? Are you going to get a
[34:54.530 --> 34:58.370]  new nose job because your information, your biometrics
[34:58.370 --> 35:02.530]  are out there? It also causes delays. So
[35:03.170 --> 35:06.770]  you can opt out, but that's opting into wait
[35:07.430 --> 35:12.990]  and wait and wait. Because as we've learned through several
[35:12.990 --> 35:18.490]  different approaches, that yeah, you can opt out.
[35:18.830 --> 35:21.710]  And Zack Whittaker has a whole article from
[35:21.710 --> 35:26.150]  May 2019 that walks you through it. But know that
[35:27.330 --> 35:33.070]  opting out means they're going to go manual so that the airline staff will
[35:33.070 --> 35:37.210]  manually check your passport or boarding pass
[35:37.850 --> 35:41.830]  like they would normally do when you're boarding a plane. That also means
[35:41.830 --> 35:45.050]  you've got to sit to the side and everyone else who's going through the
[35:45.050 --> 35:49.570]  facial recognition is probably going to bump up ahead of
[35:49.570 --> 35:51.870]  you. So what's the point of having our first
[35:51.870 --> 35:56.850]  class perks if we're going to sit to the side?
[35:56.850 --> 36:00.150]  Well, that's assuming the facial recognition
[36:00.150 --> 36:04.310]  technology and equipment is even working. Because
[36:04.310 --> 36:07.730]  according to one of the watchdog groups, the facial
[36:07.730 --> 36:13.350]  recognition systems at airports only worked 85 percent
[36:13.350 --> 36:20.470]  in some cases. And quite frankly, we've got that new face tattoo. And
[36:20.470 --> 36:26.150]  well, all those delays and delays and delays, we're waiting
[36:26.150 --> 36:33.230]  and waiting and waiting. Well, and that's okay because quite
[36:33.230 --> 36:36.310]  frankly, we still made it onto our flight
[36:37.470 --> 36:41.670]  with our data breached through several different
[36:42.230 --> 36:48.530]  choices as well as our delays. But when the weather clears and our
[36:48.530 --> 36:51.390]  flight's cleared from ticketing to takeoff,
[36:51.390 --> 36:52.890]  we've made it.
[36:54.070 --> 36:57.450]  And really through this hacking adventure,
[36:57.450 --> 37:01.710]  we've learned several different things. We've watched how the airports,
[37:01.710 --> 37:07.390]  the airlines, and well, vendors and different service providers all play
[37:07.390 --> 37:11.090]  together. And also some of the pressure points for
[37:11.090 --> 37:15.350]  where cyber security has a lot of policy, has a lot of
[37:15.350 --> 37:18.410]  room for development. But one of the other things to keep in
[37:18.410 --> 37:22.190]  mind is with each of the choices, there was a lot that we haven't
[37:22.190 --> 37:25.050]  uncovered or that we didn't get to discuss.
[37:25.050 --> 37:28.290]  Much like the choose your own adventures, you chose
[37:28.290 --> 37:35.490]  well, wisely, but you also chose poorly. You didn't die of
[37:35.490 --> 37:41.490]  dystheria. You didn't die, or excuse me, you didn't die of dysentery.
[37:41.490 --> 37:46.190]  You didn't die from Agent Cyber Squirrel.
[37:46.610 --> 37:50.110]  But it's opened the doors and discussions to see
[37:50.110 --> 37:53.950]  how you would do the next time you go through, whether you would make the same
[37:53.950 --> 37:57.470]  choices. Because from ticketing to takeoff,
[37:57.470 --> 38:01.490]  airports truly are a hacking choose your own adventure.
[38:01.530 --> 38:06.430]  It's been fun to be your tour guide and I encourage you to check out the rest of
[38:06.430 --> 38:09.850]  the Aerospace Village and all that DEF CON has to offer as we
[38:09.850 --> 38:15.170]  go into safe mode and go digital. Find me at LawyerLiz and
[38:15.170 --> 38:19.490]  also follow Scythe at scythe underscore io.
[38:19.490 --> 38:21.830]  Thanks for flying with us.
